
Use Incident SLAs for Timely and Effective Incident Resolutions

Abstract

Category: Cyware Product

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

Problem Statement

The timely and efficient resolution of incidents poses a significant challenge for incident responders, introducing a pressing need for swift and effective responses under the pressure of time constraints. Aiming for the best service reliability is a challenge, even for skilled teams. The fact that incidents are bound to happen highlights the crucial need for promptly handling and resolving them.

The absence of a structured approach and clear guidelines for incident resolution can lead to delays, inconsistent prioritization, and manual overhead. This hampers the ability to address incidents promptly, potentially resulting in increased damage, prolonged disruptions, and a less effective incident response overall.

Solution

Analysts require a solution to simplify their incident management processes, customize response times according to incident details, and automate priority assignments for a systematic and efficient resolution. Consequently, the system must be robust enough to allow analysts to define and implement Service Level Agreements (SLAs) based on incident parameters. This enables them to orchestrate a well-organized and timely response to diverse incidents across the organization.

Respond (CFTR) provides an advanced threat response platform for proactively managing threats and defining automation workflows that reduce noise and false alerts and expedite an informed response. CFTR also provides the Service Level Agreement (SLA) feature, which lets incident managers define conditions and time limits within which incident response teams must respond to specific incidents.

How do we solve this problem?

Using this feature, incident response managers can define SLAs based on a combination of parameters such as incident type, incident severity, affected business unit, and geographic location. This customization also lets incident managers order SLAs by priority for incident resolution and enables automatic assignment of SLAs to the appropriate incidents.

Create Incident Response SLAs

What are Incident Response SLAs?

The Service Level Agreement (SLA) feature enables administrators to configure time limits for updating incidents, based on the SLA type. You can create multiple SLAs based on the type, severity, business unit, and location of the incidents. With SLAs, you can:

  • Define a standard time limit to assign, notify, and respond to an incident.

  • Set breach limits to alert the incident response teams when an SLA is about to be breached.

  • Monitor the SLA breach status of the incidents in the Incident Dashboard.

  • Configure multiple levels of escalations when the assignment and resolution SLAs are breached.

You can configure two types of SLAs for incidents: Assignment SLA and Resolution SLA.

[Image: SLA_types.png]

  • Assignment SLA: The time between the opening of an incident and its assignment to a responder. This SLA covers the triage phase of an incident. It is crucial for maintaining operational efficiency and ensuring that incidents are picked up for resolution in a timely and effective manner. The screenshot below shows an example assignment SLA that is automatically assigned to incidents with High priority and the Phishing incident type. Additionally, you can set breach limits to alert the incident response teams when an SLA is about to be breached.

    [Image: Assignment_SLA.png]

  • Resolution SLA: The time between the assignment of an incident to a user and the closure of the incident. This SLA covers the post-triage phase of an incident. It is crucial for measuring the efficacy of the incident management process and underlines the importance of resolving incidents promptly. The screenshot below shows an example resolution SLA that is automatically assigned to incidents with High priority and the Website Defacement incident type.

    [Image: Resolution_SLA.png]

Create Escalations

You can create escalations to notify Incident Managers about SLA breaches through email. The escalation roster enables you to configure the recipients of the escalation emails for various stages of the SLA breaches, such as SLA warning, SLA breach, SLA threshold 1 breach, and SLA threshold 2 breach. You can configure CFTR users and non-CFTR users as recipients. Additionally, you can map multiple escalation rosters to an SLA.

You can use an escalation roster for both assignment and resolution SLAs of incidents.

[Image: Escalation_Roster.png]

The screenshot below shows an example of how to create an escalation roster and add email recipients for every stage of the escalation process.

[Image: Create_Escalation_Roster.png]

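To make the escalation flow concrete, here is an added Python example that models the four roster stages named above (SLA warning, SLA breach, SLA threshold 1 breach, SLA threshold 2 breach), several rosters mapped to one SLA, and a notifier that never emails a stage twice or skips one. It is illustrative code, not CFTR's implementation: the roster names, addresses and durations are constructed, and it assumes that threshold 1 and threshold 2 are extra durations beyond the SLA limit, which the page does not define.

```python
from datetime import timedelta
from typing import Dict, List

# Escalation stages in the order an SLA passes through them (stage names from the page).
STAGES = ["sla_warning", "sla_breach", "threshold_1_breach", "threshold_2_breach"]

def minutes(n):
    """Small helper so sample durations read naturally."""
    return timedelta(minutes=n)

# Constructed SLA timing. ASSUMPTION: threshold_1 / threshold_2 are extra durations
# beyond the SLA limit; the page names these stages but does not define how they are measured.
ASSIGNMENT_SLA = {
    "limit": minutes(15),
    "warning_before": minutes(5),
    "threshold_1": minutes(15),
    "threshold_2": minutes(30),
}

def escalation_stage(elapsed, limit, warning_before, threshold_1, threshold_2):
    """Map time elapsed on the SLA clock to the highest escalation stage reached, or None."""
    if elapsed >= limit + threshold_2:
        return "threshold_2_breach"
    if elapsed >= limit + threshold_1:
        return "threshold_1_breach"
    if elapsed >= limit:
        return "sla_breach"
    if elapsed >= limit - warning_before:
        return "sla_warning"
    return None

# Constructed rosters: stage -> e-mail recipients. The first mixes CFTR users with an
# internal distribution list; the second is an external party with no CFTR accounts.
ROSTERS: Dict[str, Dict[str, List[str]]] = {
    "soc-shift-leads": {
        "sla_warning": ["shift-lead@example.com"],
        "sla_breach": ["shift-lead@example.com", "soc-manager@example.com"],
        "threshold_1_breach": ["soc-manager@example.com", "ciso-office@example.com"],
        "threshold_2_breach": ["ciso-office@example.com"],
    },
    "external-msp": {
        "sla_breach": ["oncall@msp.example.net"],
        "threshold_2_breach": ["escalations@msp.example.net"],
    },
}

def recipients_for(stage, roster_names, rosters=ROSTERS):
    """Union of the recipients for one stage across every roster mapped to the SLA."""
    out = set()
    for name in roster_names:
        out.update(rosters.get(name, {}).get(stage, []))
    return sorted(out)

def notifications_due(previous_stage, current_stage, roster_names, rosters=ROSTERS):
    """Return (stage, recipients) for every stage crossed since the last evaluation.

    Remembering the last notified stage per SLA means each stage is e-mailed exactly once,
    and a stage jumped over between two polling runs (warning and breach inside the same
    interval) still gets its notification instead of being skipped.
    """
    start = STAGES.index(previous_stage) + 1 if previous_stage else 0
    end = STAGES.index(current_stage) + 1 if current_stage else 0
    return [(s, recipients_for(s, roster_names, rosters)) for s in STAGES[start:end]]

if __name__ == "__main__":
    last = None
    # Simulated polling runs at increasing elapsed times on the assignment SLA clock.
    for elapsed in (minutes(5), minutes(12), minutes(31), minutes(50)):
        now_stage = escalation_stage(elapsed, **ASSIGNMENT_SLA)
        for stage, to in notifications_due(last, now_stage, ["soc-shift-leads", "external-msp"]):
            print(f"t+{elapsed}: {stage} -> {', '.join(to) or '(no recipients)'}")
        last = now_stage
```

A stage with no recipients in any mapped roster still appears in the output of `notifications_due`, so a gap in roster coverage is visible rather than silently dropped.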
Quickly view the SLA Breach time

You can check the SLA timer for an incident at the top of the incident summary. The timer uses green, amber, and red to indicate the SLA breach state: green means the SLA is not breached, amber means the SLA is about to be breached, and red means the SLA has already been breached.

[Image: Incident_Summary_SLA_Breach.png]

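The two SLA types (assignment and resolution, with their breach warning limits) and the green/amber/red timer described in the sections above, as an added Python example that is not part of this page or of CFTR. The rule schema, rule names, durations, first-match ordering of the rule list, and the sample incidents are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative model only (assumption): CFTR's real rule schema is not shown on the page.
# Rules are evaluated top to bottom and the first match wins, which is how an ordered
# rule list assigns an SLA to an incident automatically. Empty filter sets match anything.
@dataclass(frozen=True)
class SlaRule:
    name: str
    kind: str                   # "assignment" or "resolution"
    incident_types: frozenset   # empty = any incident type
    severities: frozenset       # empty = any severity
    limit: timedelta            # time allowed by the SLA
    warning_before: timedelta   # amber window before the deadline ("about to be breached")

@dataclass
class Incident:
    incident_id: str
    incident_type: str
    severity: str
    opened_at: datetime
    assigned_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None

RULES = [
    SlaRule("High phishing assignment", "assignment",
            frozenset({"Phishing"}), frozenset({"High"}),
            timedelta(minutes=15), timedelta(minutes=5)),
    SlaRule("High defacement resolution", "resolution",
            frozenset({"Website Defacement"}), frozenset({"High"}),
            timedelta(hours=4), timedelta(minutes=30)),
    SlaRule("Default assignment", "assignment", frozenset(), frozenset(),
            timedelta(hours=1), timedelta(minutes=10)),
    SlaRule("Default resolution", "resolution", frozenset(), frozenset(),
            timedelta(hours=24), timedelta(hours=2)),
]

def match_rule(incident, kind, rules=RULES):
    """Return the first rule of the requested kind whose filters all accept the incident."""
    for rule in rules:
        if rule.kind != kind:
            continue
        if rule.incident_types and incident.incident_type not in rule.incident_types:
            continue
        if rule.severities and incident.severity not in rule.severities:
            continue
        return rule
    return None

def sla_status(incident, kind, now, rules=RULES):
    """Evaluate one SLA for an incident and return a dict with rule, deadline and colour.

    The assignment clock runs from opened_at until assigned_at; the resolution clock
    runs from assigned_at until closed_at. A running clock is measured against `now`,
    a stopped clock against its stop time, so a late assignment stays red afterwards.
    colour: green = within limit, amber = inside the warning window, red = breached.
    """
    rule = match_rule(incident, kind, rules)
    if rule is None:
        return {"rule": None, "colour": "none"}
    if kind == "assignment":
        start, stop = incident.opened_at, incident.assigned_at
    else:
        start, stop = incident.assigned_at, incident.closed_at
    if start is None:
        return {"rule": rule.name, "colour": "not started"}  # resolution SLA before assignment
    deadline = start + rule.limit
    reference = stop if stop is not None else now
    if reference > deadline:
        colour = "red"
    elif reference >= deadline - rule.warning_before:
        colour = "amber"
    else:
        colour = "green"
    return {"rule": rule.name, "deadline": deadline, "colour": colour,
            "completed": stop is not None, "remaining": deadline - reference}

def t(hour, minute):
    """Constructed clock for the sample incidents: one fixed day, time given as hours/minutes."""
    return datetime(2024, 1, 1, hour, minute)

# Constructed sample incidents.
PHISHING = Incident("INC-1", "Phishing", "High", opened_at=t(9, 0))
DEFACEMENT = Incident("INC-2", "Website Defacement", "High", opened_at=t(8, 0), assigned_at=t(10, 0))

if __name__ == "__main__":
    for inc in (PHISHING, DEFACEMENT):
        for kind in ("assignment", "resolution"):
            print(inc.incident_id, kind, sla_status(inc, kind, now=t(13, 0)))
```

The `remaining` field goes negative once the deadline has passed, which is the value a dashboard widget would use to sort breached incidents by how far over their SLA they are.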
Benefits

MTTD and MTTR Widgets

Real-time SLA status tracking widgets on the Dashboard provide a high-level view of the performance of incident response teams. Incident response managers can use them to identify gaps in key metrics such as MTTR and MTTD and take prompt remedial action.

Respond Effectively to High Priority Attacks

Ensure an effective response to critical attacks by instituting incident response Service Level Agreements (SLAs). These SLAs provide clear guidelines and response times for addressing security incidents, so that your organization is equipped to manage security threats promptly and efficiently.